[Japanese]

JVNDB-2022-001494

Trend Micro Apex Central and Trend Micro Apex Central as a Service vulnerable to improper check for file contents

Overview

Trend Micro Apex Central and Trend Micro Apex Central as a Service provided by Trend Micro Incorporated are vulnerable to improper check for file contents (CWE-345, CVE-2022-26871).

Trend Micro Incorporated states that attacks has been observed.

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.6 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: High
Affected Products


Trend Micro, Inc.
  • Apex Central 2019 prior to Build 6016
  • Apex Central as a Service prior to Build 202203

Impact

A remote attacker may upload an arbitrary file in the product. As a result, arbitrary code may be executed.
Solution

[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released a patch listed below that contains a fix for this vulnerability.

* Trend Micro Apex Central 2019 Patch3 (Build 6016)

The issue in Trend Micro Apex Central as a Service is fixed in the March 2022 updates.
Vendor Information

Trend Micro, Inc.
CWE (What is CWE?)

  1. Insufficient Verification of Data Authenticity(CWE-345) [Other]
CVE (What is CVE?)

  1. CVE-2022-26871
References

  1. JVN : JVNVU#99107357
  2. JPCERT REPORT : JPCERT-AT-2022-0008
Revision History

  • [2022/03/31]
      Web page was published

Date Public2022/03/30
Date First Published2022/03/31
Date Last Updated2022/03/31